XPost: linux.debian.devel.release

Package: release.debian.org
Severity: normal
Tags: bookworm security
X-Debbugs-Cc: team@security.debian.org
User: release.debian.org@packages.debian.org
Usertags: binnmu
Control: block -1 by 1106761

Dear release team,

An untrusted LD_LIBRARY_PATH environment variable vulnerability has been
found in the GNU libc, affecting *static* binaries (CVE-2025-4802). It
allows attacker controlled loading of dynamically shared library in *statically* compiled setuid binaries that call dlopen.

The issue is fixed in glibc/2.36-9+deb12u11, once accepted in
bookworm-pu (see bug #1106761). I haven't found any static binary with
setuid or setgid bit set in the archive, but I think we should rebuild
all static binaries in cases some users have changed the permission of
some of them.

This is the list of binNMU computed using Built-Using, assuming that d-i
and dini will get an upload anyway for the point release:

nmu 9 bash_5.2.15-2 . ANY . -m 'Rebuild against glibc 2.36-9+deb12u11' --extra-depends 'libc-dev-bin (>= 2.36-9+deb12u11)'
nmu 5 busybox_1:1.35.0-4 . ANY . -m 'Rebuild against glibc 2.36-9+deb12u11' --extra-depends 'libc-dev-bin (>= 2.36-9+deb12u11)'
nmu 16 cdebootstrap_0.7.8 . ANY . -m 'Rebuild against glibc 2.36-9+deb12u11' --extra-depends 'libc-dev-bin (>= 2.36-9+deb12u11)'
nmu 6 chkrootkit_0.57-2 . ANY . -m 'Rebuild against glibc 2.36-9+deb12u11' --extra-depends 'libc-dev-bin (>= 2.36-9+deb12u11)'
nmu 5 dar_2.7.8-2 . ANY . -m 'Rebuild against glibc 2.36-9+deb12u11' --extra-depends 'libc-dev-bin (>= 2.36-9+deb12u11)'
nmu 2 docker.io_20.10.24+dfsg1-1+deb12u1 . ANY . -m 'Rebuild against glibc 2.36-9+deb12u11' --extra-depends 'libc-dev-bin (>= 2.36-9+deb12u11)'
nmu qemu_1:7.2+dfsg-7+deb12u13 . ANY . -m 'Rebuild against glibc 2.36-9+deb12u11' --extra-depends 'libc-dev-bin (>= 2.36-9+deb12u11)'
nmu 23 sash_3.8-5 . ANY . -m 'Rebuild against glibc 2.36-9+deb12u11' --extra-depends 'libc-dev-bin (>= 2.36-9+deb12u11)'
nmu 10 supermin_5.2.2-1 . ANY . -m 'Rebuild against glibc 2.36-9+deb12u11' --extra-depends 'libc-dev-bin (>= 2.36-9+deb12u11)'
nmu 13 tripwire_2.4.3.7-4 . ANY . -m 'Rebuild against glibc 2.36-9+deb12u11' --extra-depends 'libc-dev-bin (>= 2.36-9+deb12u11)'
nmu 7 zsh_5.9-4 . ANY . -m 'Rebuild against glibc 2.36-9+deb12u11' --extra-depends 'libc-dev-bin (>= 2.36-9+deb12u11)'

I also found the additional following ones by scanning the archive:

nmu 5 balboa_2.0.0+ds-5 . ANY . -m 'Rebuild against glibc 2.36-9+deb12u11' --extra-depends 'libc-dev-bin (>= 2.36-9+deb12u11)'
nmu 2 catatonit_0.1.7-1 . ANY . -m 'Rebuild against glibc 2.36-9+deb12u11' --extra-depends 'libc-dev-bin (>= 2.36-9+deb12u11)'
nmu e2fsprogs_1.47.0-2 . ANY . -m 'Rebuild against glibc 2.36-9+deb12u11' --extra-depends 'libc-dev-bin (>= 2.36-9+deb12u11)'
nmu gnupg2_2.2.40-1.1 . ANY . -m 'Rebuild against glibc 2.36-9+deb12u11' --extra-depends 'libc-dev-bin (>= 2.36-9+deb12u11)'
nmu integrit_4.1-3 . arm64 armel armhf mips64el ppc64el s390x -m 'Rebuild against glibc 2.36-9+deb12u11' --extra-depends 'libc-dev-bin (>= 2.36-9+deb12u11)' # Some architectures use dietlibc
nmu libcap2_1:2.66-4+deb12u1 . ANY . -m 'Rebuild against glibc 2.36-9+deb12u11' --extra-depends 'libc-dev-bin (>= 2.36-9+deb12u11)'
nmu lxc_1:5.0.2-1+deb12u3 . ANY . -m 'Rebuild against glibc 2.36-9+deb12u11' --extra-depends 'libc-dev-bin (>= 2.36-9+deb12u11)'
nmu 6 snapd_2.57.6-1 . ANY . -m 'Rebuild against glibc 2.36-9+deb12u11' --extra-depends 'libc-dev-bin (>= 2.36-9+deb12u11)'
nmu 3 tini_0.19.0-1 . ANY . -m 'Rebuild against glibc 2.36-9+deb12u11' --extra-depends 'libc-dev-bin (>= 2.36-9+deb12u11)'
nmu 3 tsocks_1.8beta5+ds1-1 . ANY . -m 'Rebuild against glibc 2.36-9+deb12u11' --extra-depends 'libc-dev-bin (>= 2.36-9+deb12u11)'
nmu 2 ydotool_0.1.8-3 . ANY . -m 'Rebuild against glibc 2.36-9+deb12u11' --extra-depends 'libc-dev-bin (>= 2.36-9+deb12u11)'

In addition, the following packages will need a sourceful upload as they
can't be binNMUed:
cross-toolchain-base_66
cross-toolchain-base-mipsen_24
cross-toolchain-base-ports_62

Regards
Aurelien

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

XPost: linux.debian.devel.release

Control: tags -1 + confirmed

On Thu, 2025-05-29 at 18:24 +0200, Aurelien Jarno wrote:

An untrusted LD_LIBRARY_PATH environment variable vulnerability has
been found in the GNU libc, affecting *static* binaries (CVE-2025-
4802).
It allows attacker controlled loading of dynamically shared library
in *statically* compiled setuid binaries that call dlopen.

The issue is fixed in glibc/2.36-9+deb12u11, once accepted in
bookworm-pu (see bug #1106761). I haven't found any static binary
with setuid or setgid bit set in the archive, but I think we should
rebuild all static binaries in cases some users have changed the
permission of some of them.

This is the list of binNMU computed using Built-Using, assuming that
d-i and dini will get an upload anyway for the point release:

Thanks for the list.

Scheduled, with added " . bookworm ", and the versions updated to
reference +deb12u12.

Regards,

Adam

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

XPost: linux.debian.devel.release

On Fri, 2025-06-06 at 15:11 +0100, Adam D. Barratt wrote:

Scheduled, with added " . bookworm ", and the versions updated to
reference +deb12u12.

I've had to reschedule a few builds, as the binNMU versions had been
used before for builds in unstable.

nmu 9 balboa_2.0.0+ds-5 . ANY . bookworm . -m 'Rebuild against glibc 2.36-9+deb12u12' --extra-depends 'libc-dev-bin (>= 2.36-9+deb12u12)'
nmu 2 e2fsprogs_1.47.0-2 . ANY . bookworm . -m 'Rebuild against glibc 2.36-9+deb12u12' --extra-depends 'libc-dev-bin (>= 2.36-9+deb12u12)'
nmu 4 gnupg2_2.2.40-1.1 . ANY . bookworm . -m 'Rebuild against glibc 2.36-9+deb12u12' --extra-depends 'libc-dev-bin (>= 2.36-9+deb12u12)'
nmu 26 sash_3.8-5 . ANY . bookworm . -m 'Rebuild against glibc 2.36-9+deb12u12' --extra-depends 'libc-dev-bin (>= 2.36-9+deb12u12)'

Regards,

Adam

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

XPost: linux.debian.devel.release

On Fri, 2025-06-06 at 18:15 +0100, Adam D. Barratt wrote:

On Fri, 2025-06-06 at 15:11 +0100, Adam D. Barratt wrote:

Scheduled, with added " . bookworm ", and the versions updated to
reference +deb12u12.

I've had to reschedule a few builds, as the binNMU versions had been
used before for builds in unstable.

nmu 9 balboa_2.0.0+ds-5 . ANY . bookworm . -m 'Rebuild against glibc 2.36-9+deb12u12' --extra-depends 'libc-dev-bin (>= 2.36-9+deb12u12)'
nmu 2 e2fsprogs_1.47.0-2 . ANY . bookworm . -m 'Rebuild against glibc 2.36-9+deb12u12' --extra-depends 'libc-dev-bin (>= 2.36-9+deb12u12)'
nmu 4 gnupg2_2.2.40-1.1 . ANY . bookworm . -m 'Rebuild against glibc 2.36-9+deb12u12' --extra-depends 'libc-dev-bin (>= 2.36-9+deb12u12)'
nmu 26 sash_3.8-5 . ANY . bookworm . -m 'Rebuild against glibc 2.36- 9+deb12u12' --extra-depends 'libc-dev-bin (>= 2.36-9+deb12u12)'

cdebootsrap has the same source version in bookworm and sid (and
bullseye), and sid is already at +b30. :-(

I've scheduled +b35 in sid and +b31 in bookworm.

Regards,

Adam

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

XPost: linux.debian.devel.release

package release.debian.org
tags 1106777 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==============

Package: e2fsprogs
Version: 1.47.0-2+b2

Explanation: rebuild against glibc 2.36-9+deb12u12

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

XPost: linux.debian.devel.release

package release.debian.org
tags 1106777 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==============

Package: bash
Version: 5.2.15-2+b9

Explanation: rebuild against glibc 2.36-9+deb12u12

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

XPost: linux.debian.devel.release

package release.debian.org
tags 1106777 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==============

Package: lxc
Version: 5.0.2-1+deb12u3+b1

Explanation: rebuild against glibc 2.36-9+deb12u12

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

XPost: linux.debian.devel.release

package release.debian.org
tags 1106777 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==============

Package: supermin
Version: 5.2.2-1+b10

Explanation: rebuild against glibc 2.36-9+deb12u12

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

XPost: linux.debian.devel.release

package release.debian.org
tags 1106777 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==============

Package: tini
Version: 0.19.0-1+b3

Explanation: rebuild against glibc 2.36-9+deb12u12

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

XPost: linux.debian.devel.release

package release.debian.org
tags 1106777 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==============

Package: cdebootstrap
Version: 0.7.8+b31

Explanation: rebuild against glibc 2.36-9+deb12u12

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

XPost: linux.debian.devel.release

package release.debian.org
tags 1106777 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==============

Package: catatonit
Version: 0.1.7-1+b2

Explanation: rebuild against glibc 2.36-9+deb12u12

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

XPost: linux.debian.devel.release

package release.debian.org
tags 1106777 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==============

Package: balboa
Version: 2.0.0+ds-5+b9

Explanation: rebuild against glibc 2.36-9+deb12u12

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

XPost: linux.debian.devel.release

package release.debian.org
tags 1106777 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==============

Package: sash
Version: 3.8-5+b26

Explanation: rebuild against glibc 2.36-9+deb12u12

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

XPost: linux.debian.devel.release

package release.debian.org
tags 1106777 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==============

Package: qemu
Version: 7.2+dfsg-7+deb12u13+b1

Explanation: rebuild against glibc 2.36-9+deb12u12

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

XPost: linux.debian.devel.release

package release.debian.org
tags 1106777 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==============

Package: gnupg2
Version: 2.2.40-1.1+b4

Explanation: rebuild against glibc 2.36-9+deb12u12

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

XPost: linux.debian.devel.release

package release.debian.org
tags 1106777 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==============

Package: dar
Version: 2.7.8-2+b5

Explanation: rebuild against glibc 2.36-9+deb12u12

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

XPost: linux.debian.devel.release

package release.debian.org
tags 1106777 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==============

Package: chkrootkit
Version: 0.57-2+b6

Explanation: rebuild against glibc 2.36-9+deb12u12

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

XPost: linux.debian.devel.release

package release.debian.org
tags 1106777 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==============

Package: busybox
Version: 1.35.0-4+b5

Explanation: rebuild against glibc 2.36-9+deb12u12

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

XPost: linux.debian.devel.release

package release.debian.org
tags 1106777 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==============

Package: integrit
Version: 4.1-3+b1

Explanation: rebuild against glibc 2.36-9+deb12u12

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

XPost: linux.debian.devel.release

package release.debian.org
tags 1106777 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==============

Package: libcap2
Version: 2.66-4+deb12u1+b1

Explanation: rebuild against glibc 2.36-9+deb12u12

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

XPost: linux.debian.devel.release

package release.debian.org
tags 1106777 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==============

Package: docker.io
Version: 20.10.24+dfsg1-1+deb12u1+b2

Explanation: rebuild against glibc 2.36-9+deb12u12

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

XPost: linux.debian.devel.release

package release.debian.org
tags 1106777 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==============

Package: ydotool
Version: 0.1.8-3+b2

Explanation: rebuild against glibc 2.36-9+deb12u12

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

XPost: linux.debian.devel.release

package release.debian.org
tags 1106777 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==============

Package: tripwire
Version: 2.4.3.7-4+b13

Explanation: rebuild against glibc 2.36-9+deb12u12

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

XPost: linux.debian.devel.release

package release.debian.org
tags 1106777 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==============

Package: zsh
Version: 5.9-4+b7

Explanation: rebuild against glibc 2.36-9+deb12u12

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

XPost: linux.debian.devel.release

package release.debian.org
tags 1106777 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==============

Package: tsocks
Version: 1.8beta5+ds1-1+b3

Explanation: rebuild against glibc 2.36-9+deb12u12

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

XPost: linux.debian.devel.release

On Thu, 2025-05-29 at 18:24 +0200, Aurelien Jarno wrote:

  nmu 6 snapd_2.57.6-1 . ANY . -m 'Rebuild against glibc 2.36-
9+deb12u11' --extra-depends 'libc-dev-bin (>= 2.36-9+deb12u11)'

snapd FTBFS on mips*el, although I assume unrelated to any glibc
changes:

make[1]: Entering directory '/build/reproducible-path/snapd-2.57.6'
ldd: _build/bin/snap-exec: No such file or directory
ldd: _build/bin/snap-update-ns: No such file or directory
ldd: _build/bin/snapctl: No such file or directory
# usually done via `go generate` but that is not supported on powerpc GO_GENERATE_BUILDDIR=_build/src/github.com/snapcore/snapd GO111MODULE=off GOPATH=$(pwd)/_build ./mkversion.sh
*** Setting version to '2.57.6-1+b6' from changelog.
# github.com/snapcore/snapd/osutil/sys
osutil/sys/syscall.go:46:22: undefined: _SYS_GETUID osutil/sys/syscall.go:50:22: undefined: _SYS_GETEUID osutil/sys/syscall.go:54:23: undefined: _SYS_GETGID osutil/sys/syscall.go:58:23: undefined: _SYS_GETEGID
make[1]: *** [debian/rules:134: override_dh_auto_build] Error 2
make[1]: Leaving directory '/build/reproducible-path/snapd-2.57.6'
make: *** [debian/rules:109: build-arch] Error 2

Regards,

Adam

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)